Security concerns present a significant obstacle to the advancement of online business. Authenticating clientele while protecting clientele identity is particularly crucial in the areas of online banking and financial management. To address these concerns, most online enterprises utilize some form of authentication to verify the identity of their clientele. Some of the most common forms of authentication require a user to provide a user name and a password to a host website before the user is given access to sensitive information or resources. The user name and password are authenticated to determine if they match the profile of a legitimate user. To further enhance this authentication process, a host website may also require a user to enter some form of a user identifier (e.g., a personal identification number (PIN)) that must correlate with the user name and password for the user to successfully be authenticated.
Despite the apparent security provided by these authentication methods, many of these methods are vulnerable to attack by entities that wish to intercept the authentication information provided by a user. If an entity successfully intercepts this information, such as a user name, password, and user identifier, the entity can then fraudulently identify itself as the legitimate user and impermissibly gain access to sensitive information and/or valuable resources. Attacks on authentication processes may take the form of malicious software, or “malware”, such as key logging software, spyware, adware, and other pernicious software that may reside on a user's computer and/or a server. For example, if a user's computer is infected with key logging software, an entity can observe a user's keystrokes during an authentication session and, based on the keys pressed by the user, learn the user's user name, password, and user identifier. Other forms of attack monitor screen-based input, such as the selection of hypertext markup language (HTML) input controls on an HTML PIN pad. If an entity can intercept a value associated with a selected HTML input control, the entity may be able to glean important user authentication information from it.